QUESTION 113
The network contains an Active Directory domain named contoso.com. The domain contains the servers configured as shown in the following table.

All servers run Windows Server 2016. All client computers run Windows 10 and are domain members. All laptops are protected by using BitLocker Drive Encryption (BitLocker).
You have an organizational unit (OU) named OU1 that contains the computer accounts of application servers. An OU named OU2 contains the computer accounts of the computers in the marketing department.
A Group Policy object (GPO) named GP1 is linked to OU1. A GPO named GP2 is linked to OU2.
All computers receive updates from Server1. You create an update rule named Update1.
You enable deep script block logging for Windows PowerShell.
In which event log will PowerShell code that is generated dynamically appear?

Answer: A
Explanation:
https://docs.microsoft.com/en-us/powershell/wmf/5.0/audit_script
While Windows PowerShell already has the LogPipelineExecutionDetails Group Policy setting to log the invocation of cmdlets, PowerShell’s scripting language has plenty of features that you might want to log and/or audit.
The new Detailed Script Tracing feature lets you enable detailed tracking and analysis of Windows PowerShell scripting use on a system.
After you enable detailed script tracing, Windows PowerShell logs all script blocks to the ETW (Event Tracing for Windows) event log, Microsoft-Windows-PowerShell/Operational.
If a script block creates another script block (for example, a script that calls the Invoke-Expression cmdlet on a string), that resulting script block is logged as well.
Logging of these events can be enabled through the Turn on PowerShell Script Block Logging Group Policy setting (in Administrative Templates -> Windows Components -> Windows PowerShell).

QUESTION 114
Your network contains several Windows container hosts. You plan to deploy three custom .NET applications.
You need to recommend a deployment solution for the applications. Each application must:
– be accessible by using a different IP address.
– have access to a unique file system.
– start as quickly as possible.
What should you recommend? Choose two.

A. Type of container: Hyper-V
B. Type of container: Windows
C. Number of containers: 1
D. Number of containers: 2
E. Number of containers: 3

Answer: BE

QUESTION 115
You implement Just Enough Administration (JEA) on several file servers that run Windows Server 2016.
The Role Capability file from a server named Server5 contains the following code.

Which action can be performed by a user who connects to Server5?

A. Create a new file share.
B. Modify the properties of any share.
C. Stop any process.
D. View the NTFS permissions of any folder.

The “Set-SmbShare” cmdlet is then visible on Server5’s JEA endpoint, and allows JEA users to modify the properties of any file share.
https://technet.microsoft.com/en-us/itpro/powershell/windows/smbshare/set-smbshare

QUESTION 116
Your network contains an Active Directory domain named contoso.com. The domain contains a computer named Computer1 that runs Windows 10.
The network uses the 172.16.0.0/16 address space.
Computer1 has an application named App1.exe that is located in D:\Apps\. App1.exe is configured to accept connections on TCP port 8080.
You need to ensure that App1.exe can accept connections only when Computer1 is connected to the corporate network.
Solution: You run the New-NetFirewallRule -DisplayName “Rule1” -Direction Inbound -LocalPort 8080 -Protocol TCP -Action allow -Profile Domain command.
Does this meet the goal?

A. Yes
B. No

Answer: B

QUESTION 117
Your network contains several secured subnets that are disconnected from the Internet. One of the secured subnets contains a server named Server1 that runs Windows Server 2016.
You implement Log Analytics in Microsoft Operations Management Suite (OMS) for the servers that connect to the Internet.
You need to ensure that Log Analytics can collect logs from Server1.
Which two actions should you perform? Each correct answer presents part of the solution.

A. Install the OMS Log Analytics Forwarder on a server that has Internet connectivity.
B. Create an event subscription on a server that has Internet connectivity.
C. Create a scheduled task on Server1.
D. Install the OMS Log Analytics Forwarder on Server1.
E. Install Microsoft Monitoring Agent on Server1.

Answer: AE
Explanation:
https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-oms-gateway
OMS Log Analytics Forwarder = OMS Gateway
If your IT security policies do not allow computers on your network to connect to the Internet, such as point of sale (POS) devices, or servers supporting IT services, but you need to connect them to OMS to manage and monitor them, they can be configured to communicate directly with the OMS Gateway (previously called “OMS Log Analytics Forwarder”) to receive configuration and forward data on their behalf.
You have to also install Microsoft Monitoring Agent on Server1 to generate and send events to the OMS Gateway, since Server1 does not have direct Internet connectivity.

QUESTION 118
Your network contains an Active Directory domain. The domain contains two organizational units (OUs) named ProdOU and TestOU.
All production servers are in ProdOU. All test servers are in TestOU. A server named Server1 is in TestOU.
You have a Windows Server Update Services (WSUS) server named WSUS1 that runs Windows Server 2016. All servers receive updates from WSUS1.
WSUS is configured to approve updates for computers in the Test computer group automatically. Manual approval is required for updates to the computers in the Production computer group.
You move Server1 to ProdOU, and you discover that updates continue to be approved and installed automatically on Server1.
You need to ensure that all the servers in ProdOU only receive updates that are approved manually.
What should you do?

A. Turn off auto-restart for updates during active hours by using Group Policy objects (GPOs).
B. Configure client-side targeting by using Group Policy objects (GPOs).
C. Create computer groups by using the Update Services console.
D. Run wuauclt.exe /detectnow on each server after the server is moved to a different OU.

Answer: B
Explanation:
Updates in WSUS are approved against “Computer Groups”, not AD OUs.
For this example, to prevent Server1 from installing automatically approved updates, you have to remove Server1 from the “Test” computer group and add Server1 to the “Production” computer group in the WSUS console, manually or by using the WSUS GPO Client-Side Targeting feature.
https://technet.microsoft.com/en-us/library/cc720450%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396
With client-side targeting, you enable client computers to add themselves to the computer groups you create in the WSUS console.
You can enable client-side targeting through Group Policy (in an Active Directory network environment) or by editing registry entries (in a non-Active Directory network environment) for the client computers.
When the WSUS client computers connect to the WSUS server, they will add themselves to the correct computer group.
Client-side targeting is an excellent option if you have many client computers and want to automate the process of assigning them to computer groups.
First, configure WSUS to allow client-side targeting.
Second, configure a GPO that applies to “ProdOU”, so that Server1 adds itself to the “Production” computer group.
https://prajwaldesai.com/how-to-configure-client-side-targeting-in-wsus

QUESTION 119
Your network contains an Active Directory domain named contoso.com. The domain contains multiple servers that run multiple applications.
Domain user accounts are used to authenticate access requests to the servers.
You plan to prevent NTLM from being used to authenticate to the servers. You start to audit NTLM authentication events for the domain.
You need to view all of the NTLM authentication events and to identify which applications authenticate by using NTLM.
On which computers should you review the event logs and which logs should you review?

A. Computers on which to review the event logs: Only client computers
B. Computers on which to review the event logs: Only domain controllers
C. Computers on which to review the event logs: Only member servers
D. Event logs to review: Applications and Services Logs\Microsoft\Windows\Diagnostics-Networking\Operational
E. Event logs to review: Applications and Services Logs\Microsoft\Windows\NTLM\Operational
F. Event logs to review: Applications and Services Logs\Microsoft\Windows\SMBClient\Security
G. Event logs to review: Windows Logs\Security
H. Event logs to review: Windows Logs\System

QUESTION 120
Your company has an accounting department.
The network contains an Active Directory domain named contoso.com. The domain contains 10 servers.
You deploy a new server named Server11 that runs Windows Server 2016. Server11 will host several network applications and network shares used by the accounting department.
You need to recommend a solution for Server11 that meets the following requirements:
– Protects Server11 from address spoofing and session hijacking
– Allows only the computers in the accounting department to connect to Server11
What should you recommend implementing?

QUESTION 121
You have a Hyper-V host named Server1 that runs Windows Server 2016. Server1 has a generation 2 virtual machine named VM1 that runs Windows 10.
You need to ensure that you can turn on BitLocker Drive Encryption (BitLocker) for drive C: on VM1.
What should you do?

Answer: C
Explanation:
https://www.howtogeek.com/howto/6229/how-to-use-bitlocker-on-drives-without-tpm/
If you don’t use a TPM for protecting a drive, there is no Virtual TPM, VM Generation, or VM Configuration version requirement; you can even use BitLocker without a TPM protector with earlier versions of Windows.
How to Use BitLocker Without a TPM
You can bypass this limitation through a Group Policy change. If your PC is joined to a business or school domain, you can’t change the Group Policy setting yourself. Group Policy is configured centrally by your network administrator.
To open the Local Group Policy Editor, press Windows+R on your keyboard, type “gpedit.msc” into the Run dialog box, and press Enter.
Navigate to Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives in the left pane.

Double-click the “Require additional authentication at startup” option in the right pane.

Select “Enabled” at the top of the window, and ensure the “Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive)” checkbox is enabled here.
Click “OK” to save your changes. You can now close the Group Policy Editor window. Your change takes effect immediately; you don’t even need to reboot.

QUESTION 122
Your network contains an Active Directory forest named corp.contoso.com.
You are implementing Privileged Access Management (PAM) by using a bastion forest named priv.contoso.com.
You need to create shadow groups in priv.contoso.com.
Which cmdlet should you use?

QUESTION 123
Your network contains an Active Directory domain named contoso.com. The domain contains two servers named Server1 and Server2 that run Windows Server 2016.
The Microsoft Advanced Threat Analytics (ATA) Center service is installed on Server1.
The domain contains the users shown in the following table.

You are installing ATA Gateway on Server2. You need to specify a Gateway Registration account.
Which account should you use?